More than 500,000 customers of UK healthcare group Bupa are currently being informed about a data breach after an employee of its international health insurance division "inappropriately copied and removed" sensitive information before sharing it with others.
Officials from the division in question, known as Bupa Global, are warning its customers to be on high alert for phishing or fraud scams after the significant leak of personal data. It sent a letter this week (12 July) to potential victims saying the culprit had already been fired.
Sheldon Kenton, managing director of Bupa Global, said the stolen information – of 108,000 accounts in total – did not include any financial or medical data, but did feature names, dates of birth, nationalities and some Bupa insurance membership numbers.
Not all of Bupa Global's 1.4 million international health insurance customers were affected, Kenton stressed. On the firm's website, he also uploaded a video to apologise directly to those hit by the leak.
"We are contacting those customers [...] as we believe the information has been made available to other parties," a statement read, without elaborating on the identities of the recipients.
"This was not a cyberattack or external data breach, but a deliberate act by an employee."
Bupa confirmed that it has introduced more security on its networks and said a "thorough investigation" is underway. It has also contacted the UK regulator – the Information Commissioner's Office (ICO) – and pledged to take "appropriate legal action" against the employee.
Security expert Graham Cluley revealed that in the email sent to victims Kenton wrote: "I am writing to let you know that some of your policy information has been inappropriately copied and removed from one of our systems by an employee who has subsequently been dismissed.
"We are contacting you to advise you to be vigilant," he added. "In cases such as this, fraudsters can seek to trick people by impersonating Bupa. You should always take particular care to double check the sender of any communication that asks for financial or other personal details."
The insider risk
On its website, Bupa advised customers to remain suspicious of anyone who contacts them via phone or email under the guise of the healthcare group in an attempt to scam them. Security experts warned the leak shows the damage insiders can do to businesses.
"I have long thought that there is a huge amount of emphasis given to the threat posed by external hackers and internet threats, and maybe not enough focus made on the insider threat," Cluley wrote in a blog post published on 13 July.
"All it takes is one rogue employee, or indeed a careless worker, to cause a data breach that could cost your company millions and do untold damage to your brand."
Mark James, a commentator at cybersecurity firm ESET, noted: "There seems to be a clear indication of what was and was not stolen - with an emphasis on what's not - but any of the said data could be used in an attempt to scam or phish other details."
This article was updated to add comment from Bupa about the number of customers impacted.